We have developed few APIs in SAP BTP with RAP (or going forward we can use CAP) .How is the security handled .
As per my understanding there are to way .
1:) XSUAA .This will create a service key .When the 3rd party system will use this URL , They will give the Client ID and Client Secret as the Username and Password .
2:)API management :- We maintain the API in API management tool. It will give a API key .Use the API key in header to when calling the API .
Is my understanding right , these are the only two ways .
And which one to use .Can we have a project will use only XSUAA and we don't maintain the API in API management tool
Or is it mandatory that we use API management .???